Hexiosec for wealth & asset management
Two risks every wealth firm carries. We cover both.
The estate attackers can see: your domains, your servers, and the third parties you depend on to run the firm. And the client data you exchange: onboarding, suitability, reporting, fund transactions. Hexiosec ASM maps the first the way an attacker would. Hexiosec Transfer secures the second with end-to-end encryption. Both UK-sovereign, both built by ex-government engineers.
- NCSC ACD 2.0 (ASM)
- Cyber Essentials Plus
- UK Sovereign
- DSIT Ambassador
- Trusted by UK financial institutions
Two directions of risk on the same regulated data.
What attackers can see, including your third parties
Financial firms are prime targets, the external estate is large and often inherited through acquisition, and the outsourcing chain is itself an attack surface the firm is accountable for:
- A large external estate, often grown through acquisition
- Fund administrators, custodians, transfer agents and platforms
- Outsourced IT and the wider supply chain, in scope under FCA operational resilience
Attackers enumerate it; most firms can't.
The client data you exchange
Sensitive data moves in and out of the firm constantly, and the defaults are email and SharePoint:
- Investor onboarding, KYC/AML, and suitability data
- Client reporting and statements
- Fund transaction and M&A due diligence
- Regulatory submissions
Two directions of risk on the same regulated data. Hexiosec covers both.
Two products, one sector. Start where your risk is.
Hexiosec ASM: see what attackers see, including your third parties
Continuous external attack-surface and supply-chain exposure mapping, and defensible answers to operational due diligence and the FCA.
Hexiosec Transfer: secure the client data you exchange
Investor onboarding, client reporting and fund data rooms, exchanged with end-to-end encryption.
See what attackers see, including the third parties you depend on.
Hexiosec ASM continuously maps your external attack surface the way an attacker would: every domain, subdomain, exposed service and certificate, using a proprietary enumeration engine that finds more, with fewer false positives. The NCSC included Hexiosec ASM in its Active Cyber Defence 2.0 trials.
The exposure you can't see
A forgotten subdomain, an exposed admin panel, an expired certificate, a microsite from a campaign three years ago: attackers find these first. ASM finds them for you, continuously, and shows what an attacker would prioritise.
Third-party and supply-chain exposure
Asset managers run on outsourcing: fund administrators, custodians, transfer agents, platforms, IT providers. Under FCA operational-resilience rules the firm is accountable for these important business services. ASM extends the outside-in view to the third parties in scope.
Defensible answers to operational due diligence and the regulator
Institutional clients and investment consultants run deep ODD, and the FCA expects demonstrable cyber-risk management. ASM gives a defensible, continuously-updated answer to questions about your external exposure and third-party risk.
Continuous monitoring, not a penetration test.
ASM is continuous external attack-surface monitoring, not a penetration test, and not a replacement for your security operations. It complements them by continuously mapping what is exposed, so a point-in-time pen test and an in-house SOC are both working from a current picture.
Secure the client data you exchange.
Investor onboarding, suitability data, client reporting and fund-transaction due diligence all move sensitive data in and out. Hexiosec Transfer is the encrypted channel for it, with no account required on the other side.
Confidentiality by design, with the audit trail your compliance team needs.
Hexiosec Transfer encrypts content end-to-end, so even Hexiosec cannot read what you exchange. The firm retains a full audit trail of transfer events. Transfer is built for secure exchange, not communications surveillance — it is not a market-abuse monitoring or communications-archiving system, and does not replace the tools you use to meet recording and surveillance obligations on advised or dealing activity.
Investor and client onboarding
Collect KYC/AML, identity and suitability information through an encrypted, branded form, with no account for the client. Structured, audited, and unreadable by us.
Fund transaction and M&A data rooms
An admin-controlled, fully-audited data room for fund transactions, secondaries and due diligence: the mid-market, UK-sovereign alternative to enterprise data rooms that charge upwards of £20,000 per deal.
Client reporting and statements
Deliver reports and statements to clients and counterparties with end-to-end encryption, access control and automatic expiry, rather than an email attachment or a SharePoint link.
Mapped to the frameworks a Chief Risk Officer answers to.
FCA operational resilience
Firms must identify important business services and the third parties behind them. ASM evidences continuous monitoring of the external exposure, including in-scope third parties, and Transfer secures the data exchanged across those services.
FCA Consumer Duty
Protecting clients from foreseeable harm includes protecting their data. Zero-knowledge exchange and a defensible, evidenced security posture support good client outcomes.
SYSC & record keeping
Event-level audit trails on every exchange support your Senior Management Arrangements, Systems and Controls (SYSC) record-keeping obligations.
UK GDPR / DPA 2018 (and DORA where EU-facing)
Aligned with UK GDPR and the Data Protection Act 2018, and supports DORA Article 28 third-party-risk expectations where EU-facing. See the compliance page for the full mapping.
- Cyber Essentials Plus (confirmed)
- DSIT Software Security Ambassador
- NCSC ACD 2.0 (ASM)
- UK sovereign hosting (GCP London)
- UK-registered, no US parent
Built by the engineers who protect governments.
Built by ex-government and defence-intelligence engineers, Cheltenham.
Find your tier on each product.
A quick fit guide, not a pricing table. Each card routes to the full pricing.
ASM
Hexiosec ASM
- Free weekly scans, no card — See your external attack surface at no cost.
- Essential from £99/mo — Up to 200 assets, weekly monitoring.
- Premium from £249/mo — Up to 300 assets, continuous monitoring.
- Enterprise custom pricing — Larger estates, third-party scope and advanced needs.
Transfer
Hexiosec Transfer
- Team £15/user/mo — Smaller teams getting started.
- Business £25/user/mo — Co-branding, 1-year audit retention, admin controls.
- Enterprise custom pricing — Own domain, SSO, signed DPA + residency guarantee, framework procurement, 99.9% SLA, named CSM.
Both products, answered.
What is attack surface management, in plain terms?
The outside-in view of everything attackers can see of your firm: domains, servers, certificates, and the third parties you depend on, mapped continuously.
Does ASM cover our third parties and supply chain?
Yes. ASM extends the outside-in view to the in-scope third parties you are accountable for under FCA operational-resilience rules, so you can evidence that you monitor them.
We have a pen test and a security operations centre — why ASM?
A pen test is a point in time, and a SOC works from what it knows about. ASM continuously maps what is exposed, so both work from a current picture.
Can ASM help us answer operational due diligence and FCA questions?
Yes. A defensible, continuously-updated view of your external exposure and third-party risk.
Does Transfer meet our communications surveillance and recording obligations?
No. Transfer secures exchange with a full event-level audit trail, but it is not a communications-archiving or market-abuse-surveillance system and does not replace the tools you use for those duties.
Is data stored in the UK?
Yes. Both products are UK-hosted, with a signed DPA and residency guarantee on Enterprise.
Can we use Transfer for investor onboarding and fund data rooms?
Yes. Encrypted onboarding forms and admin-controlled, audited data rooms. See the secure-onboarding and data-rooms pages.
How does this compare to Egress?
See the comparison at /switch-from-egress/.
Do the products work together?
They address two different risks — inbound exposure and outbound exchange — and share the same UK-sovereign, ex-government engineering. Most firms start with one and add the other.
Are you FCA aligned?
The platform supports your systems-and-controls, operational-resilience and Consumer Duty obligations. It does not by itself guarantee your compliance. See /transfer/compliance/. DORA applies to EU-facing firms only.
Cover both risks. Start with the one that brought you here.
Most wealth firms start with the risk that's top of mind — seeing what attackers and your third parties expose, or securing the client data you exchange — and add the other when they're ready. Both are free to start.